[Question title]: Spring SecurityContext returning null authentication
[Posted]: 2015-04-20 18:48:49
[Question]:

I am using Spring Security for user authentication, but when the user is not logged in the SecurityContext is null.

In my web.xml I have:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

In my security.xml I have:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:http="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Static resources such as CSS and JS files are ignored by Spring Security -->
    <security:http pattern="/resources/**" security="none" />

    <security:http use-expressions="true">
        <!-- Enables Spring Security CSRF protection -->
        <security:csrf/>
        <!-- Configures the form login -->
        <security:form-login
                login-page="/login"
                login-processing-url="/login/authenticate"
                authentication-failure-url="/login?error=bad_credentials"
                username-parameter="username"
                password-parameter="password"/>
        <!-- Configures the logout function; the servlet session cookie is named JSESSIONID -->
        <security:logout
                logout-url="/logout"
                logout-success-url="/home"
                delete-cookies="JSESSIONID"/>

        <security:intercept-url pattern="/**" method="GET" access="permitAll"/>
        <security:intercept-url pattern="/user/register" method="POST" access="permitAll"/>

        <!-- These operations are protected. -->
        <security:intercept-url pattern="/product/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
        <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <security:access-denied-handler error-page="/login"/>

        <!-- Adds social authentication filter to the Spring Security filter chain. -->
        <security:custom-filter ref="socialAuthenticationFilter" before="PRE_AUTH_FILTER" />
    </security:http>

...other configuration...

The code where I get null is:

HttpSession session = request.getSession(true);
// The "SPRING_SECURITY_CONTEXT" attribute is only written to the session once a non-anonymous login has been saved
SecurityContext securityContext = (SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
Authentication authentication = securityContext.getAuthentication(); // NullPointerException when nobody is logged in
user = (Object) authentication.getPrincipal();

But when no user is logged in I get a null securityContext. Any help on what I am doing wrong?

[Discussion]:

    Tags: spring-mvc spring-security


    [Solution 1]:

    From http://docs.spring.io/spring-security/site/docs/3.0.x/reference/anonymous.html

    ...Note that there is no real conceptual difference between a user who is "anonymously authenticated" and an unauthenticated user. Spring Security's anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API calls such as getCallerPrincipal, for example, will still return null even though there is actually an anonymous authentication object in the SecurityContextHolder.

    There are other situations where anonymous authentication is useful, such as when an auditing interceptor queries the SecurityContextHolder to identify which principal was responsible for a given operation. Classes can be authored more robustly if they know the SecurityContextHolder always contains an Authentication object, and never null.

    So a setup like this (also from the referenced page):

    <bean id="anonymousAuthFilter"
      class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
      <property name="key" value="foobar"/>
      <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
    </bean>
    <bean id="anonymousAuthenticationProvider"
      class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
      <property name="key" value="foobar"/>
    </bean>
    

    ..and adjust your security.xml entries from:

    permitAll
    

    ..to:

    ROLE_ANONYMOUS
    

    should always give you a SecurityContext/Authentication object (though not necessarily a "principal").
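    As an added example (not code from the question or the answer), the same lookup written so that it cannot throw when nobody is logged in. It assumes the Spring Security 3.2 classes already referenced on this page and a filter chain that, like the default `<security:http>` setup, populates SecurityContextHolder on every request; the class and method names are made up for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/** Hypothetical helper: resolves the current principal without risking a NullPointerException. */
public final class CurrentUser {

    private CurrentUser() {
    }

    /**
     * The approach from the question, made null-safe. HttpSessionSecurityContextRepository
     * only stores the context in the session for a non-anonymous login, so the attribute is
     * legitimately absent for anonymous visitors and this must return null rather than throw.
     */
    public static Object principalFromSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create a session just to look
        if (session == null) {
            return null;
        }
        SecurityContext context = (SecurityContext) session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY); // "SPRING_SECURITY_CONTEXT"
        if (context == null || context.getAuthentication() == null) {
            return null;
        }
        return context.getAuthentication().getPrincipal();
    }

    /**
     * Preferred approach: the filter chain fills SecurityContextHolder for the current thread.
     * With the anonymous filter enabled the Authentication is an AnonymousAuthenticationToken
     * (principal "anonymousUser") for visitors, so treat that as "not logged in" as well.
     */
    public static Object principalFromHolder() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        return auth.getPrincipal();
    }
}
```

    Callers then branch on a null return instead of catching NullPointerException, and the anonymous case is handled the same way whether or not the session attribute exists.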

    [Discussion]:
